Hacking the ISTE18 Smart Badge

I was curious how the ISTE 2018 Conference Smart Badge worked (and I saw other questions on Twitter speculating on the same question), so I spent a couple of hours trying to hack it. I don’t claim to be any kind of expert here, but what I found (so far) was pretty interesting.

The ISTE Smart Badge is enclosed in a flat plastic case. It measures about 1″ x 1/2″, is about as deep as a quarter, and looks like this:

Figure 1

Upon registration check-in, the ISTE attendant first scans the unique QR code on your participant name badge (printed out along with tickets to various giveaways and events) to associate it with your conference registration record. Then, they scan your smart badge QR code and physically attach it to your name badge with sticky tape. The QR code of the smart badge reports the same SN (serial number, presumably) printed on the front of the badge.

As an aside, to use the conference mobile app, you need to enter a unique code, too. This allows ISTE to associate your name badge QR code, your smart badge, and your mobile app all to your registration record.

With some fine motor skills, it is possible to pry open the plastic case to reveal the innards of the smart badge.

Figure 2

Inside its case, it is mostly a standard CR2016 lithium battery, powering a Bluetooth low energy (LE) system-on-chip (SoC). The chip is a Nordic nRF51822 and the gold scroll pattern (upper-left) is the antenna.

How does it work?

Knowing the device was Bluetooth LE, I explored a variety of ways to communicate with it. The most straightforward was to go to the iOS app store and look for apps. With some trial and error, I found one that yielded some results: LightBlue Explorer.

Upon launching the app, it begins scanning for Bluetooth LE devices with which it can communicate.

Figure 3

So, this is interesting. I previously wrote about the company behind the smart badge and recalled its name was… EventBit. Drilling into the data that the app provides, two other things become immediately clear:

Each badge transmits a unique identifier, including a human readable name (“eventBit”) followed by a 5-digit identifier.

The 5-digit identifier is the same as the SN printed on the front of the smart badge.

So, this means that if you – or anyone else – knows your smart badge SN, they can read data being transmitted from your badge (or know if it is in range) and associate it with you. (Of note, since my badge is in a Faraday bag, ALL of the badges in the image above are from my neighbors in the nearby rooms in my hotel. Let the implications of that sink in…)

What else does the badge reveal?

The badge transmits data that is generic to all ISTE smart badges, as well as data that is specific to each participant’s badge. The generic data reports:

Regulatory Certification Data List: 11223344 55667788 99aabbcc ddee (clearly not being used for its intended purpose)

This is super helpful information as a search on the model number reveals the user manual. The user manual offers all sorts of interesting technical specifications, including that:

the badge transmits to a maximum range of 50 meters;

the badge is not constantly transmitting, but cycles on and off to save battery life and also to reduce conflicts with other devices that may be transmitting in the same area;

each badge transmits the following unique data:

smart badge ID information

battery level

proximity to the receiver (as measured by signal strength)

This last item suggests that the more receivers there are, the more precisely a smart badge’s location can be determined (especially if triangulation is used). Location tracking seems pretty good, but not perfect. With sufficient receivers, the smart badge should allow its wearers to be tracked within a few meters.
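To make the receiver-count argument concrete, here is an added sketch (not from the user manual or from EventBit) of the general technique: convert each receiver's signal strength to a distance with the log-distance path-loss model, then solve for position by least squares. The radio constants, receiver layout and badge position are constructed assumptions.

```python
import math

# Assumed radio parameters (not from the badge's manual): RSSI at 1 m and
# the path-loss exponent of the log-distance model.
RSSI_AT_1M = -59.0
PATH_LOSS_N = 2.0

def distance_to_rssi(d):
    return RSSI_AT_1M - 10 * PATH_LOSS_N * math.log10(d)

def rssi_to_distance(rssi):
    return 10 ** ((RSSI_AT_1M - rssi) / (10 * PATH_LOSS_N))

def locate(readings):
    """readings: [((x, y), rssi), ...] from >= 3 non-collinear receivers."""
    if len(readings) < 3:
        raise ValueError("fewer than three receivers cannot fix a single point")
    (x0, y0), r0 = readings[0]
    d0 = rssi_to_distance(r0)
    saa = sab = sbb = sac = sbc = 0.0
    for (xi, yi), ri in readings[1:]:
        di = rssi_to_distance(ri)
        # Subtracting receiver 0's circle equation leaves a*x + b*y = c.
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = d0**2 - di**2 + xi**2 - x0**2 + yi**2 - y0**2
        saa += a * a; sab += a * b; sbb += b * b
        sac += a * c; sbc += b * c
    det = saa * sbb - sab * sab  # 2x2 normal equations
    if abs(det) < 1e-9:
        raise ValueError("receivers are collinear")
    return ((sac * sbb - sbc * sab) / det, (saa * sbc - sab * sac) / det)

# Constructed scenario: positions in metres on a 10 m x 10 m floor.
BADGE = (4.0, 3.0)
RECEIVERS = [(0, 0), (10, 0), (0, 10), (10, 10), (5, 5)]

def position_error(receivers, skew_db=0.0):
    """Error in metres when the second receiver reads skew_db too weak."""
    readings = []
    for i, pos in enumerate(receivers):
        rssi = distance_to_rssi(math.dist(pos, BADGE))
        readings.append((pos, rssi - skew_db if i == 1 else rssi))
    return math.dist(locate(readings), BADGE)

if __name__ == "__main__":
    print("3 receivers, clean:     %.2f m" % position_error(RECEIVERS[:3]))
    print("3 receivers, 3 dB skew: %.2f m" % position_error(RECEIVERS[:3], 3.0))
    print("5 receivers, 3 dB skew: %.2f m" % position_error(RECEIVERS, 3.0))
```

In this one constructed case, a 3 dB error at a single receiver moves the three-receiver estimate by more than two metres, and adding two more receivers reduces the error.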

Over the next few days, I’ll be on the lookout for the receivers to see what I can figure out about them. I feel pretty good about what I was able to glean about the badges so far (and happy that I’ve chosen not to wear mine), but any further investigations are going to have to wait for the morning.